updates on and version 3...updates on cloc and silc version 3 tetsu iwata*, kazuhiko minematsu, jian...
TRANSCRIPT
![Page 1: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/1.jpg)
Updates on CLOC and SILC Version 3
Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi
DIAC 2016September 26, 2016, Nagoya, Japan
* Supported in part by JSPS KAKENHI, Grant‐in‐Aid for Scientific Research (B), Grant Number 26280045
![Page 2: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/2.jpg)
Outline
• Review of the schemes– Specification of CLOC and SILC, security, implementation
• Updates from version 2 to version 3• Discussion• Future plan
2
![Page 3: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/3.jpg)
CLOC and SILC
• CLOC [1]– Compact Low‐Overhead CFB, FSE 2014– Suitable for handling short input data on small microprocessors
• SILC [2]– SImple Lightweight CFB, DIAC 2014– Hardware oriented version of CLOC
3[1] Iwata, Minematsu, Guo, Morioka: CLOC: Authenticated Encryption for Short Input. FSE 2014[2] Iwata, Minematsu, Guo, Morioka, Kobayashi: SILC: SImple Lightweight CFB. DIAC 2014
![Page 4: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/4.jpg)
Overview of CLOC and SILC
• HASH and PRF: variants of CBC‐MAC• ENC: variant of CFB encryption mode
4
![Page 5: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/5.jpg)
Parameters of CLOC and SILC
• : blockcipher• : nonce length• : tag length
5
![Page 6: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/6.jpg)
CLOC v3
6
![Page 7: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/7.jpg)
SILC v3
7
![Page 8: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/8.jpg)
Security of CLOC and SILC
• CLOC and SILC are provably secure up to the standard birthday bound– Privacy: against nonce‐respecting adversaries– Authenticity: against nonce‐reusing adversaries
– /2 , is the number of total blocks, is the block length in bits
8
![Page 9: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/9.jpg)
Implementation
• A: associated data of a blocks• M: a plaintext of m blocks• CLOC
– 1 + a + 2m blockcipher calls when |A| ≥ 1– 2 + 2m calls when |A| = 0– No precomputation beyond the blockcipher key schedule
• SILC– 3 + a + 2m blockcipher calls– No precomputation beyond the blockcipher key schedule
9
![Page 10: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/10.jpg)
Software Implementation
• CLOC and SILC with AES (from DIAC 2015)– Intel (R) Core (TM) i5‐4570 3.20GHz (Haswell family), AES‐128, AES‐NI
– CLOC and SILC run at 4.56 cpb• seral AES runs at 4.44 cpb, very close to the speed of seral AES
• Latest performance at public benchmark (SUPERCOP)– Intel (R) Core (TM) i5‐6600 (Skylake) :– 2.82 cpb for long messages, 7.81 cpb for 64‐byte messages
10
![Page 11: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/11.jpg)
Software Implementation
• Intel (R) Core (TM) i5‐4570 3.20GHz (Haswell family), long messages (2048 bytes), vperm (vector permutation)– [update] CLOC with TWINE runs at 14.6 cpb– SILC with Present runs at about 70 cpb– SILC with LED runs at about 130 cpb
• CLOC Implementations on Atmel AVR ATmega128 (FSE 2014)– 8‐bit microprocessor– the RAM usage is low and Init is fast, and it is fast for short input data, up to around 128 bytes
11
![Page 12: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/12.jpg)
Hardware Implementation(from DIAC 2015)
• ASIC implementation– reference implementation (non‐optimized, encryption‐and‐decryption implemented)
– Environment: 90nm standard cell library with logic synthesis done by Synopsys DC Version D‐2010.03‐SP1‐1
• CLOC
in GE (Gate Equivalent)12
AES TWINEAES128_CLOC 18991.5 TWINE80_CLOC 5917.8 AES Core 10207.8 TWINE Core 1459.5 ratio 1.9 ratio 4.1
![Page 13: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/13.jpg)
Hardware Implementation(from DIAC 2015)
• ASIC implementation– reference implementation (non‐optimized, encryption‐and‐decryption implemented)
– Environment: 90nm standard cell library with logic synthesis done by Synopsys DC Version D‐2010.03‐SP1‐1
• SILC
in GE (Gate Equivalent)13
AES TWINE PRESENTAES128_SILC 17466.0 TWINE80_SILC 5178.0 PRESENT80_CLOC 5532.3 AES Core 10207.8 TWINE Core 1459.5 PRESENT Core 1817.3 ratio 1.7 ratio 3.5 ratio 3.0
![Page 14: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/14.jpg)
Hardware Implementation
• Area optimized ASIC implementation with dedicated API [Banik, Bogdanov, Minematsu, DIAC 2015]
• Reference implementations were submitted to ATHENa
14
Design Area ( ) Area (GE)AES128_CLOC Aggressive 13672.8 3107AES128_CLOC Conservative 18966.5 4311AES128_SILC Aggressive 13678.3 3109AES128_SILC Conservative 18100.0 4114
![Page 15: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/15.jpg)
Outline
• Review of the schemes– Specification of CLOC and SILC, security, implementation
• Updates from version 2 to version 3• Discussion• Future plan
15
![Page 16: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/16.jpg)
CLOC v2
16
![Page 17: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/17.jpg)
CLOC v3
17
![Page 18: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/18.jpg)
Updates from Version 2 to 3
• No changes in specifications (both for CLOC and SILC)• Two submission documents, “CLOC v2” and “SILC v2,” were
merged into one submission “CLOC and SILC v3”– following the request by CAESAR
• Recommended parameter sets– 3 in “CLOC v2”aes128n12t8clocv2, aes128n8t8clocv2, twine80n6t4clocv2
– 4 in “SILC v2”aes128n12t8silcv2, aes128n8t8silcv2, present80n6t4silcv2, led80n6t4silcv2
– 3 + 4 = 7 ‐> 5 in “CLOC and SILC v3”
18
![Page 19: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/19.jpg)
Updates from Version 2 to 3
• 5 recommended parameter sets for “CLOC and SILC v3”• specified the ordering:
1. aes128n12t8clocv32. aes128n12t8silcv33. twine80n6t4clocv34. present80n6t4silcv35. led80n6t4silcv3
• dropped aes128n8t8clocv2 and aes128n8t8silcv2
19
![Page 20: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/20.jpg)
Updates from Version 2 to 3
• CAESAR Use Cases: – Use Case 1: Lightweight applications– Use Case 2: High‐performance applications– Use Case 3: Defense in depth
• Targeted use cases of 5 recommended parameter sets1. aes128n12t8clocv3 Use Case 12. aes128n12t8silcv3 Use Case 13. twine80n6t4clocv3 Use Case 14. present80n6t4silcv3 Use Case 15. led80n6t4silcv3 Use Case 1
• CLOC and SILC have some features of Use Case 3, but this is not a targeted use case 20
![Page 21: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/21.jpg)
Other Updates
• n=96 is listed as a possible choice of the block length of the underlying blockcipher
• added Simon and Speck as possible options
21
![Page 22: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/22.jpg)
Outline
• Review of the schemes– Specification of CLOC and SILC, security, implementation
• Updates from version 2 to version 3• Discussion• Future plan
22
![Page 23: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/23.jpg)
History: CCM, EAX, and EAX‐prime
• CCM (NIST SP 800‐38C)– complex specification, not online, a number of limitations were pointed out [3]
• EAX (ISO/IEC 19772)– simple design, AES‐CMAC plus AES‐CTR– provably secure– precomputation cost (EK(0), EK(1), and EK(2)) can be an issue for highly constrained devices; time and memory
23[3] Rogaway, Wagner: A Critique of CCM. IACR ePrint 2003/070
![Page 24: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/24.jpg)
History: CCM, EAX, and EAX‐prime
• EAX‐prime (ANSI C12.22)– reduces precomputation complexity of EAX– efficiently handles short input data with small memory
• was not proposed with a proof of security– standardized by ANSI for Smartgrid– ANSI pushed EAX‐prime to NIST, and NIST requested public comments for inclusion of it into NIST SP‐800 series
– EAX‐prime was seriously broken [4]• single‐query forgery etc.• was not adopted in the NIST standard
24[4] Minematsu, Lucks, Morita, Iwata: Attacks and Security Proofs of EAX‐Prime. FSE 2013
![Page 25: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/25.jpg)
From CCM, EAX, and EAX‐prime to CLOC and SILC
• There is a public need for a scheme like CCM, EAX, and EAX‐prime:– constrained devices, blockcipher‐based, design simplicity, small footprint
– low memory requirement, low precomputation complexity, and provable security
• CCM ‐> EAX ‐> EAX‐prime ‐> CLOC and SILC– catch “the public need”
25
![Page 26: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/26.jpg)
64‐bit blockciphers
• 64‐bit blockciphers are in use: – TDES, Kasumi, Present,…
• Many new designs for lightweight applications– LED, TWINE, Prince, Midori, Rectangle,…
• a blockcipher cannot be used by itself – encryption mode, MAC for authentication, AE mode– in modes, block length matters, not for general purpose applications
– for low‐powered, small‐bandwidth, or limited‐lifetime communications
26
![Page 27: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/27.jpg)
64‐bit blockciphers
• showing “the right way” of using 64‐bit blockciphers to the outside world is important– Generic composition works– CCM and GCM are for 128‐bit blockciphers
• there is a 64‐bit block version of GCM– CLOC and SILC give one right way
27
![Page 28: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/28.jpg)
Outline
• Review of the schemes– Specification of CLOC and SILC, security, implementation
• Updates from version 2 to version 3• Discussion• Future plan
28
![Page 29: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/29.jpg)
Future Plan
• Future plan (from DIAC 2015, still in progress):– Analysis of CLOC and SILC in terms of INT‐RUP security– Designing a variant of SILC for empty associated data
29
![Page 30: Updates on and Version 3...Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, SumioMorioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan](https://reader033.vdocuments.us/reader033/viewer/2022051923/6011acfc3d36ca1a734b479b/html5/thumbnails/30.jpg)
Thank you
• Review of the schemes– Specification of CLOC and SILC, security, implementation
• Updates from version 2 to version 3• Discussion• Future plan
• Web site:– http://www.nuee.nagoya‐u.ac.jp/labs/tiwata/AE/– documents, slides, test vectors
30